Automated Malware Analysis Report for https://t.co/zi3FWnDVDp

ID: 398190
Cookbook: browseurl.jbs
Time: 04:57:58
Date: 27/04/2021
Version: 31.0.0 Emerald

Table of Contents

Table of Contents ... 2
Analysis Report https://t.co/zi3FWnDVDp ... 4
Overview ... 4
  General Information ... 4
  Detection ... 4
  Signatures ... 4
  Classification ... 4
  Startup ... 4
  Malware Configuration ... 4
  Yara Overview ... 4
  Sigma Overview ... 4
  Signature Overview ... 4
  Mitre Att&ck Matrix ... 5
  Behavior Graph ... 5
  Screenshots ... 6
    Thumbnails ... 6
Antivirus, Machine Learning and Genetic Malware Detection ... 7
  Initial Sample ... 7
  Dropped Files ... 7
  Unpacked PE Files ... 7
  Domains ... 7
  URLs ... 7
Domains and IPs ... 8
  Contacted Domains ... 8
  Contacted URLs ... 8
  URLs from Memory and Binaries ... 8
  Contacted IPs ... 8
    Public ... 9
    Private ... 9
General Information ... 9
Simulations ... 9
  Behavior and APIs ... 9
Joe Sandbox View / Context ... 10
  IPs ... 10
  Domains ... 10
  ASN ... 10
  JA3 Fingerprints ... 10
  Dropped Files ... 10
Created / dropped Files ... 10
Static File Info ... 15
  No static file info ... 15
Network Behavior ... 15
  Network Port Distribution ... 15
  TCP Packets ... 15
  UDP Packets ... 17
  DNS Queries ... 17
  DNS Answers ... 17
  HTTPS Packets ... 17
Code Manipulations ... 18
Statistics ... 18
  Behavior ... 18
System Behavior ... 19
  Analysis Process: iexplore.exe PID: 5732 Parent PID: 792 ... 19
    General ... 19
    File Activities ... 19
    Registry Activities ... 19
  Analysis Process: iexplore.exe PID: 5780 Parent PID: 5732 ... 19
    General ... 19
    File Activities ... 19
    Registry Activities ... 20
Disassembly ... 20

Copyright Joe Security LLC 2021 Page 2 of 20

Analysis Report https://t.co/zi3FWnDVDp

Overview

General Information
Sample URL: https://t.co/zi3FWnDVDp
Analysis ID: 398190
Most interesting Screenshot: (image not reproduced in this text)

Detection
Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%
Score scale: malicious / suspicious / clean

Signatures
No high impact signatures.

Classification
Classification categories shown on the wheel: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Startup
System is w10x64
iexplore.exe (PID: 5732 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  iexplore.exe (PID: 5780 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5732 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Malware Configuration
No configs have been found

Yara Overview
No yara matches

Sigma Overview
No Sigma rule has matched

Signature Overview
• Compliance
• Networking
• System Summary
There are no malicious signatures.

Mitre Att&ck Matrix
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery 1; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 1; Application Layer Protocol 2
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph
Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet
ID: 398190
URL: https://t.co/zi3FWnDVDp
Startdate: 27/04/2021
Architecture: WINDOWS
Score: 0
Graph nodes:
  favicon.ico
  iexplore.exe (2, 61), started iexplore.exe (2, 36)
  t.co
  auspost-mypost-track.from-id.com
  192.168.2.1 (ASN unknown, country unknown)
  104.244.42.133 (ports 443, 49680, 49681; TWITTERUS; United States)
  66.29.133.243 (ports 443, 49682, 49683; ADVANTAGECOMUS; United States)

Screenshots

Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label | Link
https://t.co/zi3FWnDVDp | 0% | Virustotal | | Browse
https://t.co/zi3FWnDVDp | 0% | Avira URL Cloud | safe |

Dropped Files
No Antivirus matches

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label | Link
https://auspost-mypost-track.from-id.com/do/-track.from-id.com/o/Root | 0% | Avira URL Cloud | safe |
https://auspost-mypost-track.from-id.com/o/ | 0% | Avira URL Cloud | safe |
https://auspost-mypost-track.from-id.com/do/Root | 0% | Avira URL Cloud | safe |
https://auspost-mypost-track.from-id.com/o/z | 0% | Avira URL Cloud | safe |
getbootstrap.com) | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
t.co | 104.244.42.133 | true | false | | high
auspost-mypost-track.from-id.com | 66.29.133.243 | true | false | | unknown
favicon.ico | unknown | unknown | false | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://auspost-mypost-track.from-id.com/ | false | | unknown
https://auspost-mypost-track.from-id.com/do/ | false | | unknown

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://auspost-mypost-track.from-id.com/do/ | {E7359BFB-A74F-11EB-90E4-ECF4BB862DED}.dat.1.dr, ~DF634290F9B3C49363.TMP.1.dr | false | | unknown
www.apache.org/licenses/LICENSE-2.0 | bootstrap.min[1].css.2.dr | false | | high
https://auspost-mypost-track.from-id.com/do/-track.from-id.com/o/Root | {E7359BFB-A74F-11EB-90E4-ECF4BB862DED}.dat.1.dr | false | Avira URL Cloud: safe | unknown
https://auspost-mypost-track.from-id.com/o/ | ~DF634290F9B3C49363.TMP.1.dr | false | Avira URL Cloud: safe | unknown
https://auspost-mypost-track.from-id.com/do/Root | {E7359BFB-A74F-11EB-90E4-ECF4BB862DED}.dat.1.dr | false | Avira URL Cloud: safe | unknown
https://auspost-mypost-track.from-id.com/o/z | {E7359BFB-A74F-11EB-90E4-ECF4BB862DED}.dat.1.dr | false | Avira URL Cloud: safe | unknown
getbootstrap.com) | bootstrap.min[1].css.2.dr | false | Avira URL Cloud: safe | low

Contacted IPs
(Distribution chart; legend buckets: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs)

Public
IP | Domain | Country | ASN | ASN Name | Malicious
66.29.133.243 | auspost-mypost-track.from-id.com | United States | 19538 | ADVANTAGECOMUS | false
104.244.42.133 | t.co | United States | 13414 | TWITTERUS | false

Private
IP
192.168.2.1

General Information
Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 398190
Start date: 27.04.2021
Start time: 04:57:58
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 32s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: https://t.co/zi3FWnDVDp
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.win@3/14@3/3
Cookbook Comments: Adjust boot time; Enable AMSI; Browsing link: https://auspost-mypost-track.from-id.com/
Warnings:
  Exclude process from analysis (whitelisted): taskhostw.exe, ielowutil.exe
  TCP Packets have been reduced to 100
  Excluded IPs from analysis (whitelisted): 88.221.62.148, 152.199.19.161
  Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, ie9comview.vo.msecnd.net, go.microsoft.com.edgekey.net, cs9.wpc.v0cdn.net

Simulations

Behavior and APIs
No simulations

Joe Sandbox View / Context
IPs: No context
Domains: No context
ASN: No context
JA3 Fingerprints: No context
Dropped Files: No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E7359BF9-A74F-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 30296
Entropy (8bit): 1.8541284057279128
Encrypted: false
SSDEEP: 192:rFZWZk2TWJutJlfJ/lMICBIBurfBuscsX:rLSzqJOJ9J+ICBIBurBusl
MD5: 1D0CF13960287A3F78D182E4842A73B4
SHA1: 9FCD946292ABC924AE5EF4D9E9745990FB553901
SHA-256: FAA3E73D72507C7A769319DC130ACA752E4FBD8B709C03CE6241ACD7C4C81516
SHA-512: 111C72389A0A6A75E89DEAADCADCB3F7DF3BC5F384C8DCF029826135012B30C2D8BE580556DB417BFF5618D7D75E6088F36BD0C925CF5EC7758408A849ABC964
Malicious: false
Reputation: low
Preview: .............................................................................................................................................................................................................................................................................